Tageszusammenfassung - 19.12.2022

End-of-Day report

Timeframe: Freitag 16-12-2022 18:00 - Montag 19-12-2022 18:00 Handler: Robert Waldner Co-Handler: Michael Schlagenhaufer


Infostealer Malware with Double Extension, (Sun, Dec 18th)

Got this file attachment this week pretending to be from HSBC Global Payments and Cash Management. The attachment payment_copy.pdf.z is a rar archive, kind of unusual with this type of file archive but when extracted, it comes out as a double extension with pdf.exe. The file is a trojan infostealer and detected by multiple scanning engines.


Day 3 - Next Level Font Obfuscation

Today I learned how to obfuscate text using custom fonts. I made a program to automatically create deceptive fonts to demonstrate their danger. Using a custom font, I was able to make a letter look like a different letter to trick a plagiarism checker while still being human-readable.



Venom is a C++ library that is meant to give an alternative way to communicate, instead of creating a socket that could be traced back to the process, it creates a new "hidden" (there is no window shown) detached edge process (edge was chosen because it is a browser that is installed on every Windows 10+ and wont raise suspicious) and stealing one of its sockets to perform the network operations.


Exploiting API Framework Flexibility

The modern frameworks are often very flexible with what they accept, and will happily treat a POST with a JSON body as interchangeable with a URL encoded body, or even with query parameters. Due to this, an unexploitable JSON XSS vector can sometimes be made exploitable by flipping it to one of these alternative approaches.


Fake Shops und Phishing-SMS: Die Betrugsmaschen im Online-Weihnachtsgeschäft

Weihnachten bedeutet auch wieder Hochsaison für Betrüger, die mit gefälschten Shops und irreführenden SMS auf das Geld ihrer Opfer aus sind.


BSI legt 19 IT-Grundschutz-Bausteine als Final Draft vor

Kurzer Hinweis für Administratoren und IT-Dienstleister, die im Unternehmensumfeld aktiv sind. Das Bundesamt für Sicherheit in der Informationstechnik (BSI) hat diese Woche 19 sogenannte IT-Grundschutz-Bausteine als sogenannte Final Drafts vorgelegt. Das reicht von .NET über Active Directory Domain Services bis hin zu Windows Server.



Cisco Security Advisories 2022-12-16 - 2022-12-18

Cisco has updated 9 security advisories: (1x Critical, 5x High, 3x Medium)


HP kümmert sich mit BIOS-Updates um Schadcode-Lücken

Sicherheitsupdates schließen mehrere Schwachstellen in HP-Computern. Einige Lücken betreffen ausschließlich AMD-Systeme.


Security updates for Monday

Security updates have been issued by Debian (chromium and thunderbird), Fedora (keylime, libarchive, libtasn1, pgadmin4, rubygem-nokogiri, samba, thunderbird, wireshark, and xorg-x11-server-Xwayland), Gentoo (curl, libreoffice, nss, unbound, and virtualbox), Mageia (advancecomp, couchdb, firefox, freerdp, golang, heimdal, kernel, kernel linus, krb5, leptonica, libetpan, python-slixmpp, thunderbird, and xfce4-settings), Oracle (firefox, nodejs:16, and thunderbird), Scientific Linux (firefox and thunderbird), Slackware (samba), SUSE (chromium and kernel), and Ubuntu (linux-oem-5.17).


Synology-SA-22:24 Samba AD DC

Multiple vulnerabilities allow remote attackers or remote authenticated users to bypass security constraint via a susceptible version of Synology Directory Server.


Citrix Hypervisor Security Bulletin for CVE-2022-3643, CVE-2022-42328 & CVE-2022-42329

Several security issues have been identified in Citrix Hypervisor 8.2 LTSR CU1, each of which may allow a privileged user in a guest VM to cause the host to become unresponsive or crash.


Zenphoto vulnerable to cross-site scripting


Corel Roxio Creator LJB starts a program with an unquoted file path


ZDI-22-1681: Autodesk 3DS Max SKP File Parsing Use-After-Free Remote Code Execution Vulnerability


DLL Search Order Hijacking Vulnerability in the DWG TrueView- Desktop Software


Vulnerabilities in PHP may affect IBM Spectrum Sentinel Anomaly Scan Engine (CVE-2021-21703, CVE-2021-21708, CVE-2021-21707, CVE-2022-31629, CVE-2022-31628)


IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2021-29469, CVE-2022-39160, CVE-2022-38708, CVE-2022-42003, CVE-2022-42004, CVE-2022-43883, CVE-2022-43887, CVE-2022-25647, CVE-2022-36364)


IBM DataPower Gateway vulnerable to HTTP request smuggling (CVE-2022-35256)


IBM DataPower Gateway potentially affected by CPU side-channel (CVE-2022-21166)


IBM DataPower Gateway subject to a memory leak in TCP source port generation (CVE-2022-1012)


IBM DataPower Gateway vulnerable to network state information leakage (CVE-2021-20322, CVE-2021-45485, CVE-2021-45486)


UDP source port randomization flaw in IBM DataPower Gateway (CVE-2020-25705)


Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator


IBM i Modernization Engine for Lifecycle Integration is vulnerable to multiple vulnerabilities